Data communication authentication system for vehicle gateway apparatus for vehicle data communication system for vehicle and data communication apparatus for vehicle

ABSTRACT

A vehicular data communication system is disclosed. The vehicular data communication system includes an authentication device for authenticating an external tool connected to a bus, an authentication control device for determining whether an external tool is authenticated by the authentication device and for setting an authenticated state to permit a data communication between the external tool and an access target ECU on the bus upon determining that the external tool is authenticated by the authentication device, and an authentication maintain device for maintaining the authenticated state within a predetermined period after the authenticated state is set by the authentication control device.

CROSS REFERENCE TO RELATED APPLICATION

The present application is a divisional application of application Ser. No. 13/771,696, filed Feb. 20, 2013 and is based on Japanese Patent Applications No. 2012-33945 filed on Feb. 20, 2012 and 2012-67383 filed on Mar. 23, 2012, disclosures of which are incorporated herein by reference.

TECHNICAL FIELD

The present disclosure relates to a vehicular data communication authentication system in which an external tool is connectable to an electronic control unit (ECU). The present disclosure also relates to a vehicular gateway apparatus connected with the vehicular data communication authentication system to partition the external tool from the ECU. The present disclosure also relates to a vehicular data communication system including a vehicular data communication apparatus connected with multiple nodes through a bus. The present disclosure also relates to such a vehicular data communication apparatus.

BACKGROUND

It is known that a data communication between electronic control units (ECUs) serving as nodes is performed through a bus, and that a data communication between an ECU and an external tool is performed through a bus. When the data communication is performed between the external tool and the ECU, it becomes possible to access to the ECU by connecting the external tool to the bus, and it becomes possible to rewrite a control program of the ECU and read out a data from the ECU (see Patent Document 1 for example).

-   Patent Document 1: JP 2004-192277A

Specifications of data communication standards and connection interfaces between an external tool and a bus are open to the public. Thus, not only a proper worker can connect a proper external tool to the bus but also a third party having a bad intention can connect an improper external tool to the bus. If the improper external tool is connected to the bus, the vehicle may be subject to attack such as the improper rewriting of the control program of the ECU, the improper reading out of the data from the ECU (so called a masquerading), or the like. The controller area network (CAN) is a data communication standard between the external tool and the ECU. In the CAN, since a data frame is broadcasted, wiretapping and analysis are relatively easy. Additionally, the CAN provides a data field for storing a data, an identifier field for identifying type of a data frame, a cyclic redundancy check (CRC) field for storing CRC check, etc. However, in the CAN, a source field for identifying a source (source address) of a data frame and an authentication field for authenticating a data frame are not provided.

Because of the above, protection measures against the improper connection of the external tool to the bus are desired.

Further, enhancement of security in data communication between ECUs and between the external tool and the ECU is desired. Although it may be possible to enhance the security by providing a node with a data encryption function, this leads to various difficulties such as configuration complication, processing load increase, and the like.

SUMMARY

In view of the foregoing, it is an object of the present disclosure to provide a vehicular data communication authentication system and a vehicular gateway apparatus that can prevent damages resulting from a connection of an improper external tool and can enhance security even if the improper external tool is connected to a bus connected with an ECU.

It is also an object of the present disclosure to provide a vehicular data communication system and a vehicular data communication apparatus that can enhance security in data communication while minimizing node load even if a node does not have a data encryption function.

According to a first example of embodiments, a vehicular data communication authentication system, in which an external tool is connectable to a bus connected with electronic control units (ECUs) including an access target ECU, includes an authentication device, an authentication control device and an authentication maintain device. The authentication device performs authentication of the external tool connected to the bus. The authentication control device determines whether or not a result of the authentication of the external tool preformed by the authentication device is affirmative. When determining that the result of the authentication of the external tool is affirmative, the authentication control device sets an authenticated state and permits a data communication between the external tool and the access target ECU. When determining that the result of the authentication of the external tool is not affirmative, the authentication control device does not set the authenticated state and prohibits the data communication between the external tool and the access target ECU. After the authenticated state is set by the authentication control device, the authentication maintain device maintains the authenticated state within one of: a first period, which is a predetermined period of time elapsed since the authenticated state was set; a second period, which is a period during which an authenticated state maintain request is inputted to the authentication control device; a third period, which is a period during which a vehicle state satisfies a predetermined condition; and a fourth period, which is a period during which the bus is in a communicating state.

According to a second example of embodiments, a vehicular data communication authentication system, in which an external tool is connectable to a bus connected with electronic control units (ECUs) including an access target ECU, includes an authentication device, an authentication control device and an authentication maintain device. The authentication device performs authentication of a vehicle state. The authentication control device determines whether or not a result of the authentication of the vehicle state preformed by the authentication device is affirmative. When determining that the result of the authentication of the vehicle state is affirmative, the authentication control device sets an authenticated state and permits a data communication between the external tool and the access target ECU. When determining that the result of the authentication of the vehicle state is not affirmative, the authentication control device does not set the authenticated state and prohibits the data communication between the external tool and the access target ECU. After the authenticated state is set by the authentication control device, the authentication maintain device maintains the authenticated state within one of: a first period, which is a predetermined period of time elapsed since the authenticated state was set; a second period, which is a period during which an authenticated state maintain request is inputted to the authentication control device; a third period, which is a period during which the vehicle state satisfies a predetermined condition; and a fourth period, which is a period during which the bus is in a communicating state.

According to a third example of embodiments, a vehicular gateway apparatus in a vehicular data authentication system, in which an external tool is connectable to a bus connected with electronic control units (ECUs) including an access target ECU and in which the vehicular gateway apparatus partitions the external tool from the ECUs, includes an authentication device, an authentication control device and an authentication maintain device. The authentication device performs authentication of the external tool connected to the bus. The authentication control device determines whether or not a result of the authentication of the external tool preformed by the authentication device is affirmative. When determining that the result of the authentication of the external tool is affirmative, the authentication control device sets an authenticated state and permits a data communication between the external tool and the access target ECU. When determining that the result of the authentication of the external tool is not affirmative, the authentication control device does not set the authenticated state and prohibits the data communication between the external tool and the access target ECU. After the authenticated state is set by the authentication control device, the authentication maintain device maintains the authenticated state within one of: a first period, which is a predetermined period of time elapsed since the authenticated state was set; a second period, which is a period during which an authenticated state maintain request is inputted to the authentication control device (102 e); a third period, which is a period during which a vehicle state satisfies a predetermined condition; and a fourth period, which is a period during which the bus is in a communicating state.

According to a fourth example of embodiments, a vehicular gateway apparatus in a vehicular data authentication system, in which an external tool is connectable to a bus connected with electronic control units (ECUs) including an access target ECU and in which the vehicular gateway apparatus partitions the external tool from the ECUs, includes an authentication device, an authentication control device and an authentication maintain device. The authentication device performs authentication of a vehicle state. The authentication control device determines whether or not a result of the authentication of the vehicle state preformed by the authentication device is affirmative. When determining that the result of the authentication of the vehicle state is affirmative, the authentication control device sets an authenticated state and permits a data communication between the external tool and the access target ECU. When determining that the result of the authentication of the vehicle state is not affirmative, the authentication control device does not set the authenticated state and prohibits the data communication between the external tool and the access target ECU. After the authenticated state is set by the authentication control device, the authentication maintain device maintains the authenticated state within one of: a first period, which is a predetermined period of time elapsed since the authenticated state was set; a second period, which is a period during which an authenticated state maintain request is inputted to the authentication control device (102 e); a third period, which is a period during which the vehicle state satisfies a predetermined condition; and a fourth period, which is a period during which the bus is in a communicating state.

According to the above vehicular data communication authentication systems and the vehicular gateway apparatuses, even if an improper external tool is connected to a bus connected with an ECU, it is possible to prevent damages resulting from a connection of the improper external tool and it is possible to enhance security.

According to a fifth example of embodiments, a vehicular data communication system includes a vehicular data communication apparatus connected with nodes through buses. The vehicular data communication apparatus includes an encryption information storage device and an encryption control device. For each combination of one bus connected with a data source node and another bus connected with a data destination node, the encryption information storage device stores an encryption information indicating whether or not a data is to be encrypted, wherein the data source node is one node being a source of the data and the data destination node is another node being a destination of the data. in cases where the vehicular data communication apparatus receives the data from a first node through a first bus and transmits the received data to a second node through a second bus, the encryption control device determines whether to (i) encrypt the received data and transmit the encrypted data to the second node through the second bus or (ii) transmit the received data to the second node through the second bus without encrypting the received data, based on the encryption information stored in the encryption information storage device. Each node includes an decryption information storage device and a decryption control device. For each bus connected with the data source node, the decryption information storage device stores a decryption information indicating whether or not the data is to be decrypted. In cases where the node receives the data from the vehicular data communication apparatus, the decryption control device determines whether to (i) decrypt and process the received data or (ii) process the received data without decrypting the received data, based on the decryption information stored in the decryption information storage device.

According to a sixth example of embodiments, a vehicular data communication system includes a vehicular data communication apparatus connected with nodes through buses. The vehicular data communication apparatus includes an encryption information storage device and an encryption control device. For each combination of a data source node and a data destination node, the encryption information storage device stores an encryption information indicating whether or not a data is to be encrypted, wherein the data source node is one node being a source of the data and the data destination node is another node being a destination of the data. In cases where the vehicular data communication apparatus receives the data from a first node through a first bus and transmits the received data to a second node through a second bus, the encryption control device determines whether to (i) encrypt the received data and transmit the encrypted data to the second node through the second bus or (ii) transmit the received data to the second node through the second bus without encrypting the received data, based on the encryption information stored in the encryption information storage device. Each node includes an decryption information storage device and a decryption control device. For each data source node, the decryption information storage device stores a decryption information indicating whether or not the data is to be decrypted. In cases where the node receives the data from the vehicular data communication apparatus, the decryption control device determines whether to (i) decrypt and process the received data or (ii) process the received data without decrypting the received data, based on the decryption information stored in the decryption information storage device.

According to a seventh example of embodiments, a vehicular data communication system includes a vehicular data communication apparatus connected with nodes through buses. The vehicular data communication apparatus includes an encryption information storage device and an encryption control device. For each identifier indicative of class a data frame storing a data, the encryption information storage device stores an encryption information indicating whether or not the data is to be encrypted. In cases where the vehicular data communication apparatus receives the data from a first node through a first bus and transmits the received data to a second node through a second bus, an encryption control device determines whether to (i) encrypt the received data and transmit the encrypted data to the second node through the second bus or (ii) transmit the received data to the second node through the second bus without encrypting the received data, based on the encryption information stored in the encryption information storage device. Each node includes an decryption information storage device and a decryption control device. For each identifier indicative of the type of the data frame storing the data, the decryption information storage device stores a decryption information indicating whether or not the data is to be decrypted. In cases where the node receives the data from the vehicular data communication apparatus, the decryption control device determines whether to (i) decrypt and process the received data or (ii) process the received data without decrypting the received data, based on the decryption information stored in the decryption information storage device.

According to an eighth example of embodiments, a vehicular data communication system includes a vehicular data communication apparatus connected with nodes through buses. The vehicular data communication apparatus includes an encryption information storage device and an encryption control device. For each data storage area of a data frame storing a data, the encryption information storage device stores an encryption information indicating whether or not the data is to be encrypted. In cases where the vehicular data communication apparatus receives a data from a first node through a first bus and transmits the received data to a second node through a second bus, the encryption control device determines whether to (i) encrypt the received data and transmit the encrypted data to the second node through the second bus or (ii) transmit the received data to the second node through the second bus without encrypting the received data, based on the encryption information stored in the encryption information storage device. Each node includes an decryption information storage device and a decryption control device. For each data storage area of the data frame storing the data, the decryption information storage device stores a decryption information indicating whether or not the data is to be decrypted. In cases where the node receives the data from the vehicular data communication apparatus, the decryption control device determines whether to (i) decrypt and process the received data or (ii) process the received data without decrypting the received data, based on the decryption information stored in the decryption information storage device.

According to the vehicular data communication systems and the vehicular data communication apparatuses, it is possible to enhance security in data communication while minimizing node load even if a node does not have a data encryption function.

BRIEF DESCRIPTION OF THE DRAWINGS

The above and other objects, features and advantages of the present disclosure will become more apparent from the following detailed description made with reference to the accompanying drawings. In the drawings:

FIG. 1 is a functional block diagram illustrating a data communication authentication system of a first example of a first embodiment;

FIG. 2 is a sequence diagram illustrating operations;

FIG. 3 is a sequence diagram illustrating operations performed after those in

FIG. 2;

FIG. 4 is a sequence diagram illustrating operations in cases where a vehicular gateway apparatus discards a data request command in response to a negative result of authentication;

FIG. 5 is a sequence diagram illustrating operations in cases where a vehicular gateway apparatus includes a timer for maintaining an authenticated state;

FIG. 6 is a sequence diagram illustrating operations in cases where a vehicular gateway apparatus maintains an authenticated state within a period during which an authenticated state maintain request is inputted from an external tool;

FIG. 7 is a sequence diagram illustrating operations in cases where a vehicular gateway apparatus maintains an authenticated state within a period during which an authenticated state maintain request is inputted from an access target ECU;

FIG. 8 is a sequence diagram illustrating operations in cases where a vehicular gateway apparatus maintains an authenticated state within a period during which a vehicle state satisfies a predetermined condition;

FIG. 9 is a sequence diagram illustrating operations in cases where a vehicular gateway apparatus maintains an authenticated state within a period during which a bus is in a communicating state;

FIG. 10 is a functional block diagram illustrating a data communication authentication system of a second example of the first embodiment;

FIG. 11 is a sequence diagram illustrating operations of the second example of the first embodiment;

FIG. 12 is a functional block diagram illustrating a data communication authentication system of a third example of the first embodiment;

FIG. 13 is a sequence diagram illustrating operations of the third example of the first embodiment;

FIG. 14 is a functional block diagram illustrating a data communication authentication system of a fourth example of the first embodiment;

FIG. 15 is a sequence diagram illustrating operations of the fourth example of the first embodiment;

FIG. 16 is a functional block diagram illustrating a data communication authentication system of a fifth example of the first embodiment;

FIG. 17 is a sequence diagram illustrating operations of the fifth example of the first embodiment;

FIG. 18 is a functional block diagram illustrating a data communication authentication system of a sixth example of the first embodiment;

FIG. 19 is a sequence diagram illustrating operations of the sixth example of the first embodiment;

FIG. 20 is a sequence diagram illustrating operations of a seventh example of the first embodiment;

FIG. 21 is a sequence diagram illustrating operations of an eighth example of the first embodiment;

FIG. 22 is a sequence diagram illustrating operations of a ninth example of the first embodiment;

FIG. 23 is a sequence diagram illustrating operations of a tenth example of the first embodiment;

FIG. 24 is a functional block diagram illustrating a vehicular data communication system of a first example of a second embodiment;

FIG. 25 is a sequence diagram illustrating operations in a first situation in accordance with the first example of the second embodiment;

FIG. 26 is a sequence diagram illustrating operations in a second situation in accordance with the first example of the second embodiment;

FIG. 27 is a sequence diagram illustrating operations in a third situation in accordance with the first example of the second embodiment;

FIG. 28 is a block diagram illustrating a encryption table and a decryption table in accordance with the first example of the second embodiment;

FIG. 29 is a functional block diagram illustrating a vehicular data communication system of a second example of the second embodiment;

FIG. 30 is a block diagram illustrating a encryption table and a decryption table in accordance with the second example of the second embodiment;

FIG. 31 is a functional block diagram illustrating a vehicular data communication system of a third example of the second embodiment;

FIG. 32 is a diagram illustrating a configuration of a data frame; and

FIG. 33 is a functional block diagram illustrating a vehicular data communication system of a fourth example of the second embodiment.

DETAILED DESCRIPTION

Embodiments will be described with reference to the drawings. Throughout the below-embodiments, like reference numerals are used to refer to like parts.

First Embodiment

A first embodiment will be described with reference to FIGS. 1 to 23.

First Example of First Embodiment

A first example of the first embodiment will be described with reference to FIGS. 1 to 9.

As shown in FIG. 1, in a vehicular data communication authentication system 101, a vehicular gateway apparatus 102 is connected with a bus 106 so that the gateway apparatus 102 partitions (separates) multiple electronic control units (ECUs) 103, 104 from an external tool 105 (an operating device) operable by an operator. In FIG. 1, two ECUs are illustrated as the multiple ECUs 103, 104. In the present embodiment, a portion of the bus 106 on an ECU side of the gateway apparatus 102 is referred to as an ECU-side bus 106 a. That is, the ECU-side bus 106 a is a bus for transmitting data between the gateway apparatus 102 and the ECUs 103, 104. A portion of the bus 106 on an external tool side of the gateway apparatus 102 is referred to as an external-tool-side bus 106 b. That is, the external-tool-side bus 106 b is a bus for transmitting data between the gateway apparatus 102 and the external tool 105.

The ECUs 103, 104 may include, for example, an engine ECU for controlling operation of the engine, a door lock ECU for controlling operation of door lock mechanism, a navigation ECU for controlling navigation operation, a meter ECU for controlling operation of a meter (indicator), or the like. The number of ECUs may be two, three or more, or may be one. The external-tool-side bus 106 b is provided with a connector 107 to which the external tool 105 is detachably connectable. By being connected to the connector 107, the external tool 105 is connected to the external-tool-side bus 106 b and becomes able to perform the data communication with the gateway apparatus 102.

The bus 106 adopts a controller area network (CAN) as a data communication method. The CAN communication defines a data field for storing a data, an identifier field for identifying type of a data frame, a cyclic redundancy check (CRC) field for storing CRC check, etc. However, in the CAN communication, a source field for identifying a source (source address) of a data frame and an authentication field for authenticating a data frame are not defined.

The gateway apparatus 102 includes a control device 102 a, an ECU-side bus communication device 102 b, an external-tool-side bus communication device 102 c, an authentication device 102 d, an authentication control device 102 e, a communication control device 102 f, a filtering device 102 g, and an authentication maintain device 102 h. The authentication device 102 d can correspond to an example of authentication means or device, and an example of second authentication means or device. The authentication control device 102 e can correspond to an example of authentication control means or device, and an example of authentication control means or device. The communication control device 102 f can correspond to an example of communication control means or device, and an example of communication control means or device. The authentication maintain device 102 h can correspond to an example of authentication maintain means or device, and an example of authentication maintain means or device.

The control device 102 a includes a microcomputer. By executing a control program with the microcomputer, the control device 102 a controls operations of the ECU-side bus communication device 102 b, the external-tool-side bus communication device 102 c, the authentication device 102 d, the authentication control device 102 e, the communication control device 102 f, the filtering device 102 g, and the authentication maintain device 102 h. The ECU-side bus communication device 102 b is connected with the ECU-side bus 106 a, and controls communication, such as data transmission and receipt, with the ECUs 103 and 104. The external-tool-side bus communication device 102 c is connected with the external-tool-side bus 106 b. In a state where the external tool 105 is connected to the connector 107, the external-tool-side bus communication device 102 c controls communications, such as data transmission and receipt, with the external tool 105.

In the situation where the external tool 105 is connected to the connector 107, the authentication device 102 d performs authentication of the external tool 105 (a procedure of the authentication will be described later). Based on a result of the authentication of the external tool 105 by the authentication device 102 d, the authentication control device 102 e sets whether the data communication between the external tool 105 and an access target ECU should be permitted or prohibited. Specifically, when the result of the authentication of the external tool 105 is affirmative, the authentication control device 102 e sets an authenticated state and permits the data communication between the external tool 105 and the access target ECU. When the result of the authentication of the external tool 105 is negative (not affirmative), the authentication control device 102 e does not set the authenticated stat and prohibits the data communication between the external tool 105 and the access target ECU.

Regardless of whether the result of the authentication of the external tool 105 performed by the authentication device 102 d is affirmative or not, the communication control device 102 f sets whether the data communication between the external tool 105 and an access target ECU should be permitted or prohibited. A reason for this exceptional permission is as follows. In a data communication for a vehicle, since it is necessary to always permit a certain part of the data communication, the communication control device 102 f exceptionally permits the data communication for a specified data e.g., the below-described regulation message) between the external tool 105 and the access target ECU. In a situation where the authentication control device 102 e or the communication control device 102 f prohibits the data communication between the external tool 105 and the access target ECU, the filtering device 102 g exceptionally permits only for specified data communication. When the authentication control device 102 e sets the authenticated state, the authentication maintain device 102 h maintains the set authenticated state. That is, when the authentication control device 102 e sets the authenticated state, the authentication maintain device 102 h maintains a period of permitting the data communication between the external tool 105 and the access target ECU

The control device 102 a has an encryption function and a decryption function. Specifically, when the external-tool-side-bus communication device 102 c receives a plaintext command from the external tool 105, the control device 102 a encrypts and rewrites the received plaintext command into an encrypted-text command. When the ECU-side-bus communication device 102 b receives an encrypted-text command from the ECU 103 or the ECU 104, the control device 102 a decrypts and rewrites the received encrypted-text command into a plaintext command. The encryption and description may use a public-key cryptography, in which the encryption is performed with a public-key and the description is performed with a private-key. Alternatively, the encryption and description may use a common-key cryptography, in which the encryption and decryption are performed with a common-key.

The ECU 103 includes a control device 103 a, a bus communication device 103 b, and a vehicle state input device 103 c. The control device 103 a includes a microcomputer. By executing a control program with the microcomputer, the control device 103 a controls the bus communication device 103 b and the vehicle state input device 103 c. The bus communication device 103 b is connected with the ECU-side bus 106 a and controls communications, such as data transmission and receipt, with the gateway apparatus 102. The vehicle state input device 103 c receives and inputs a vehicle state from an external device (e.g., various sensors, different ECUs, wireless communication device etc). The vehicle state inputted by the vehicle state input device 103 c may be, for example, a immobilizer state (locked state or unlocked state), an ignition (IG) switch state (on and off), a door state (open state or closed state), or the like.

The ECU 104 includes a control device 104 a and a bus communication device 104 b. The control device 104 a includes a microcomputer. By executing a control program with the microcomputer, the control device 104 a controls the bus communication device 104 b. The bus communication device 104 b is connected with the ECU-side bus 106 a and controls communications, such as data transmission and receipt, with the gateway apparatus 102.

It should be noted that if the ECU 103 or 104 is the engine ECU for example, the ECU 103 or 104 includes a functional block (not shown) for controlling the operation of the engine in addition to the above-described functional blocks. If the ECU 103 or 104 is the door lock ECU, the ECU 103 or 104 includes a functional block (not shown) for controlling the operation of the door lock mechanism in addition to the above-described functional blocks. The same is applicable to cases where the ECU 103 or 104 is an ECU other than the engine ECU and the door lock ECU. Alternatively, both of the ECU 103 and the ECU 104 receive and input the vehicle states from externals

The external tool 105 includes a control device 105 a, a bus communication device 105 b and an input/output interface (IF) 105 c. The control device 105 a includes a microcomputer. By executing a control program with the microcomputer, the control device 105 a controls operations of the bus communication device 105 b and the input/output interface (IF) 105 c. The bus communication device 105 b is connected with the external-tool-side bus 106 b and controls communications, such as data transmission and receipt, with the gateway apparatus 102. The input/output IF 105 c has a function to accept an input operation from the operator operating the external tool 105, and has a function to issue a notification by, for example, displaying a data.

Specifically, by connecting the external tool 105 to the connector 107 and by performing the input operation to the external tool 105, the operator can rewrite the control program of the access target ECU and read out a data from the access target ECU. The external tool 105 is not limited to a dedicated apparatus for rewriting the control program of the access target ECU and reading out the data from the access target ECU. For example, the external tool 105 may be a cellular phone, a personal digital assistance or the like having the above functions.

Operations will be described with reference to FIGS. 2 to 9. Now, it is assumed that the ECU 104 is the access target ECU and that the external tool 105 transmits a data request command to the access target ECU 104 in order to rewrite the control program of the access target ECU 104 or read out a data from the access target ECU 104.

When the control device 105 a of the external tool 105 determines that the external tool 105 is connected to the connector 107, the control device 105 a transmits an authentication seed request command from the bus communication device 105 b to the gateway apparatus 102. When the control device 102 a of the gateway apparatus 102 determines that the external-tool-side-bus communication device 102 c receives the authentication seed request command from the external tool 105, the control device 102 a generates an authentication seed at B101 (see FIG. 2) and transmits the generated authentication seed from the external-tool-side-bus communication device 102 c to the external tool 105. The authentication seed includes information used in generating the below-described authentication code, and is written in random number.

When the control device 105 a of the external tool 105 determines that the bus communication device 105 b receives the authentication seed from the gateway apparatus 102, the control device 105 a generates an authentication code based on the authentication seed (while associating the authentication code with the authentication seed) at A101, and the control device 105 a transmits the generated authentication code from the bus communication device 105 b to the gateway apparatus 102. The authentication code is expressed in random number, like the authentication seed. In the above, it is assumed that the external tool 105 does not possess the authentication seed. However, the external tool 105 may possess the authentication seed. In this configuration, the external tool 105 may generate the authentication code based on the authentication seed possessed by the external tool 105 itself and may transmit the generated authentication code from the bus communication device 105 b to the gateway apparatus 102.

In the gateway apparatus 102, when the control device 102 a determines that the external-tool-side-bus communication device 102 c receives the authentication code from the external tool 105, the control device 102 a performs B102. Specifically, at B102, the control device 102 a performs cross-check between the authentication seed, which was transmitted to the external tool 105, and the authentication code received from the external tool 105, and determines whether or not the result of the authentication of the external tool 105 is affirmative.

More specifically, a proper external tool, which is connected to the connector 107 by a proper operator, is equipped with a function to (i) correctly generate an authentication based on the authentication seed received from the gateway apparatus 102 and (ii) transmit the correctly-generated authentication code to the gateway apparatus 102. Therefore, when the proper operator connects the proper external tool to the connector 107, there is match between the authentication seed and the authentication code, and the result of the authentication of the external tool 105 becomes affirmative.

An improper external tool, which may be connected to the connector 107 by a third party having a bad intention, is not equipped with the function to correctly generate the authentication based on the authentication seed received from the gateway apparatus 102. Thus, the improper external tool is unable to correctly generate an authentication code or transmit the authentication code to the gateway apparatus, or may transmit an incorrect authentication code to the gateway apparatus 102. As a result, when a third party having a bad intention connects an improper external tool to the connector 107, there is mismatch between the authentication seed and the authentication code, and the result of the authentication of the external tool 105 becomes not affirmative.

In the gateway apparatus 102, when the control device 102 a determines that the result of the authentication of the external tool 105 is affirmative and the external tool 105 is a proper external tool (YES at B103), the control device 102 a performs B104. At 8104, the control device 102 a transmits am affirmative authentication result response command, which indicates that the result of the authentication is affirmative, from the external-tool-side-bus communication device 102 c to the external tool 105, and additionally, the control device 102 a sets the authenticated state, which is a state where the external tool 105 is authenticated. Within a period during which the authenticated state is set, the control device 102 a permits receipt of a data request command from the external tool 105 and permits the data communication. Within a period during which the authenticated state is not set, the control device 102 a prohibits the receipt of the data request command from the external tool 105 and prohibits the data communication.

In the external tool 105, when the control device 105 a accepts, for example, the input operation from the operator after the control device 105 a determines that the bus communication device 105 b receives the affirmative authentication response command from the gateway apparatus 102, the control device 105 a transmits the data request command from the bus communication device 105 b to the gateway apparatus in accordance with the input operation. It should be noted that the data request command transmitted from the external tool 105 to the gateway apparatus 102 includes information for identifying the access target ECU 104, which is a destination of the data request command.

The control device 102 a of the gateway apparatus 102 determines that the external-tool-side-bus communication device 102 c receives the data request command from the external tool 105, the control device 102 a performs 8105. Specifically, at B105, the control device 102 a analyzes the received data request command and determines whether or not it is necessary to perform the authentication of the external tool 105. For example, by determining whether the data request command is a regulation message (regulation command) or a non-regulation message (non-regulation command), the control device 102 a determines whether or not it is necessary to perform the authentication of the external tool 105. The law-regulation message is a message that gives obligation to answer in response to the request from the external tool 105. For example, the regulation message may be a massage that requests a data about, for example, an engine system, or the like. The non-regulation message is a message that does not give obligation to answer in response to the request from the external tool 105. It should be noted that a determination of whether the data request command is a regulation message or a non-regulation message may correspond to a determination of whether the access target ECU 104, which is a transmission destination of the data request command, is a regulation ECU or a non-regulation ECU.

When the control device 102 a determines that the data request command is the non-regulation message and determines that it is necessary perform the authentication of the external tool 105 (YES at B105), the control device performs 8106. At 8106, the control device 102 a determines whether the result of the previously-preformed authentication is affirmative or negative. When the control device 102 a determines that the result of the previously-preformed authentication is affirmative (YES at B106), the process proceeds to B107. At B107, the control device 102 a determines whether or not it is necessary to encrypt the data request command. Specifically, the control device 102 a determines whether the data request command is the regulation message or the non-regulation message, thereby determining whether or not it is necessary to encrypt the data request command.

When the control device 102 a determines that the data request command is the non-regulation message and determines that it is necessary to encrypt the data request command (YES at B107), the control device 102 a encrypts the data request command (B108) and transmits the encrypted data request command from the ECU-side-bus communication device 102 b to the access target ECU 104. When the control device 102 a determines that the data request command is the regulation message and determines that it is unnecessary to encrypt the data request command (NO at B107), the control device 102 a transmits, without encrypting the data request command, the data request command from the ECU-side-bus communication device 102 b to the access target ECU 104.

As shown in FIG. 3, in the access target ECU 104, when the control device 104 a determines that the bus communication device 104 b receives the data request command from the vehicular gateway apparatus 102, the control device 104 a determines whether or not it is necessary to decrypt the received data request command (C101). Specifically, when the control device 104 a determines that the data request command received from the vehicular gateway apparatus 102 is the encrypted data request command, the control device 104 a determines that it is necessary to decrypt the data request command (YES at C101). In this case, the control device 104 a decrypts the data request command (C102) and performs data processing according to content of the data request command (C103). The data processing may include rewriting a control program, reading out a data, or the like. When the control device 104 a determines that the data request command received from the vehicular gateway apparatus 102 is not encrypted, the control device 104 a determines that it is unnecessary to decrypt the data request command (NO at C101). In this case, the control device 104 a performs the data processing according to the content of the data request command (C103).

Upon completion of the data processing, the control device 104 a determines whether or not it is necessary to encrypt a data response command indicative of the completion of the data processing (C104). For example, when the data request command received from the gateway apparatus 102 is encrypted, the control device 104 a determines that it is necessary to encrypt a data response command indicative of the completion of the data processing. When the data request command received from the gateway apparatus 102 was not encrypted, the control device 104 a determines that it is unnecessary to encrypt the data response command indicative of the completion of the data processing. Alternatively, importance degrees of data response commands may be preset, and the control device 104 a may determines whether or not it is unnecessary to encrypt the data response command indicative of the completion of the data processing, regardless of whether or not the data request command received from the gateway apparatus 102 was encrypted.

When the control device 104 a determines that it is necessary to encrypt the data response command (YES at C104), the control device 104 a encrypts the data response command (C105) and transmits the encrypted data response command from the bus communication device 104 b to the vehicular gateway apparatus 102. When the control device 104 a determines that it is unnecessary to encrypt the data response command (NO at C104), the control device 104 a transmits, without encrypting the data response command, the data response command from the bus communication device 104 b to the vehicular gateway apparatus 102.

In the vehicular gateway apparatus 102, the control device 102 a determines that the ECU-side-bus communication device 102 b receives the data response command from the access target ECU 104, the control device 102 a determines whether or not it is necessary to decrypt the received data response command (B109). Specifically, when the control device 102 a determines that the data response command received from the access target ECU 104 is encrypted, the control device 102 a determines that it is necessary to decrypt the received data response command (YES at B109). In this case, the control device 102 a decrypt the encrypted data response command (B110) and transmits the decrypted data response command from the external-tool-side communication device 102 c to the external tool 105. When the control device 102 a determines that the data response command received from the access target ECU 104 is not encrypted, the control device 102 a determines that it is unnecessary to decrypt the received data response command (NO at B109). In this case, the control device 102 a transmits, without decrypting, the data response command from the external-tool-side communication device 102 c to the external tool 105.

As described above, in response to connecting the external tool 105, the control device 102 a of vehicular gateway apparatus 102 performs the authentication of the external tool 105. When a result of the authentication of the external tool 105 is affirmative (YES at B103), the control device 102 a specifies the external tool 105 connected to the connector 107 as a proper external tool 105, and sets the authenticated state (step B104), as illustrated in FIG. 2. Thereafter, the control device 102 a permits receipt of a data request command regardless of whether the data request command is a regulation message or a non-regulation message.

As illustrated in FIG. 4, when the control device 102 a determines that the result of the authentication of the external tool 105 is negative (NO at B103), the control device 102 a specifies the external tool 105 connected to the connector 107 an improper external tool, and does not set the authenticated state. Therefore, when the control device 102 a determines that an data request command from the external tool 105 is a non-regulation message requiring the authentication, the control device 102 a discards the data request command and rejects the receipt of the data request command to reject the data communication (B111), because the result of the previously-performed authentication is negative and the authenticated state is not set. That is, at B111, the control device 102 a rejects the data communication. In this case, the rejection of the receipt of the data request command may include nullifying the data request command without discarding data request command. That is, the rejection of the receipt of the data request command may include prohibiting the processing in line with the content of the data request command.

The above illustration is directed to a situation where, on an as-needed basis, the vehicular gateway apparatus 102 encrypts the data request command received from the external tool 105. Alternatively, the external tool 105 may have a function to encrypt the data request command, and may encrypt the data request command on an as-needed basis.

As described above, when the control device 102 a determines that the result of the authentication is affirmative, the control device 102 a sets the authenticated state to permit the receipt of the data request command from the external tool 105. A period of maintaining the authenticated state is managed in the following ways.

Specifically, the control device 102 a manages the period of maintaining the authenticated state, based on the following first to fourth periods:

(1) A first period from a time when the authenticated state was set to a time a predetermined time has elapsed.

(2) A second period during which an authenticated state maintain request signal is inputted from an external.

(3) A third period during which a vehicle state satisfies a predetermined condition.

(4) A fourth period during which the bus 106 is in a communicating state.

In the following, the first to fourth periods will be illustrated.

(1) The First Period (from a Time when the Authenticated State was Set to a Time a Predetermined Time has Elapsed).

As shown in FIG. 5, in the vehicular gateway apparatus 102, the control device 102 a sets the authenticated state (B104), starts an authentication maintain timer for counting a predetermined time (B112), and monitors whether or not the authentication maintain timer reaches the predetermined time (B113). When the control device 102 a determines that the authentication maintain timer reaches the predetermined time (YES at B113), the control device 102 a ends the authenticated state. In this example, the period of maintaining the authenticated state is managed by the vehicular gateway apparatus 102 alone. The predetermined time to be counted by the authentication maintain timer may be an initial value set in production, or may be a set value which is set and inputted by the operator operating the external tool 105.

(2) The Second Period (a Period During which the Authenticated State Maintain Request Signal is Inputted from an External).

One example is illustrated in FIG. 6. In FIG. 6, after the authenticated state is set (B104), the control device 102 a of the vehicular gateway apparatus 102 maintains the authenticated state within a period during which the control device 102 a determines that the authenticated state maintain request command is received by the external-tool-side-bus communication device 102 c. Upon determining that an authenticated state end request command is received by the external-tool-side-bus communication device 102 c, the control device 102 a ends the authenticated state (B114). In this example, the external tool 105 leads the control of the period of maintaining the authenticated state.

Another example is illustrated in FIG. 7. In FIG. 7, after setting the authenticated state (B104), the control device 102 a of the vehicular gateway apparatus 102 transmits an authenticated state notice command from the ECU-side-bus communication device 102 b to the access target ECU 104, so that the access target ECU 104 transmits the authenticated state maintain request command. Within the period during which the control device 102 a determines that the authenticated state maintain request command from the access target ECU 104 is received by the ECU-side-bus communication device 102 b, the control device 102 a maintains the authenticated state. Upon determining that the authenticated state end request command from the access target ECU is received by the ECU-side-bus communication device 102 b, the control device 102 a ends the authenticated state (B114). In this example, the access target ECU 104 leads the control of the period of maintaining the authenticated state. It should be noted that the predetermined period during which the external tool 105 or the access target ECU 104 periodically transmits the authenticated state maintain request command to the vehicular gateway apparatus 102 may be an initial value set in production or may be a set value which is set and inputted by the operator operating the external tool 105.

(3) The Third Period (a Period During which the Vehicle State Satisfies the Predetermined Condition)

As shown in FIG. 8, in the vehicular gateway apparatus 102, after setting the authenticated state (B104), the control device 102 a determines whether or not the vehicle state satisfies a predetermined condition (B115), by receiving the vehicle state from the ECU 104 through the ECU-side-bus communication device 102 b. For example, the predetermined condition may be one of the followings: the immobilizer is in an unlocked state (released state); the ignition switch is off; and the door is in a closed state. That is, when at least one of the above three conditions is satisfied, the control device 102 a determines that the vehicle state satisfies the predetermined condition (YES at B115). During a period of determining that the vehicle state satisfies the predetermined condition, the control device 102 a maintains the authenticated state. When the control device 102 a determines that the vehicle state becomes failing to satisfy the predetermined condition (NO at B115), the control device 102 a ends the authenticated state. In this case, the vehicular gateway apparatus 102 leads the control of the period of maintaining the authenticated state.

(4) The Fourth Period (the Period During which the Bus 106 is in the Communicating State)

As shown in FIG. 9, after setting the authenticated state (B104), the control device 102 a of the vehicular gateway apparatus 102 determines whether or not the bus 106 is in the communicating state (B116). Specifically, when the control device 102 a determines that one of the ECU-side-bus communication device 102 b and the external-tool-bus communication device 102 b is in the communicating state, the control device 102 a determines that the bus 106 is in the communicating state (YES at 8116). Within the period during which the control device 102 a determines that the bus is in the communicating state, the control device 102 a maintains the authenticated state. Upon determining that the bus 106 is changed into a not-communicating state (NO at B116), the control device 102 a ends the authenticated state (B114). In this case, the vehicular gateway apparatus manages the period of maintaining the authenticated state, based on the communicating state of the bus 106.

As described above, in the present example of the first embodiment, the vehicular gateway apparatus 102 is connected with the bus 106 so as to partition (separate) the external tool 105 from the ECU 103 and the ECU 104. When the external tool 105 is connected, the vehicular gateway apparatus 102 performs the authentication of the external tool 105. When a result of the authentication of the external tool 105 is affirmative, the vehicular gateway apparatus 102 sets the authenticated state, so that the vehicular gateway apparatus 102 permits the receipt of a subsequent data request command from the external tool 105 regardless of whether or not the data request command is a non-regulation message requiring the authentication. When the result of the authentication of the external tool 105 is negative, the vehicular gateway apparatus 102 does not set the authenticated state, so that when the vehicular gateway apparatus 102 determines that a subsequent data request command from the external tool 105 is a non-regulation message requiring the authentication, the vehicular gateway apparatus 102 rejects the receipt of the data request command.

According to the above configuration, even in cases where an improper external tool is connected to the bus 106, the harms resulting from the connection of the improper external tool can be prevented. As a result, it is possible to enhance security. To achieve this advantage, it is unnecessary to change specifications of data communication between the external tool 105 and the ECUs 103, 104. Additionally, since the period of maintaining the authenticated state is managed, it is possible to avoid unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU after cutting off the connection of the external tool. As a result, it is possible to further enhance the security. Additionally, since the authenticating of the external tool 105, the setting of the authenticated state, and the maintaining of the authenticated state are collectively performed by the vehicular gateway apparatus 102, it is possible to achieve the above advantages by adding the vehicular gateway apparatus 102. Therefore, it is possible to achieve the above advantages while minimizing a change in an existing system.

Additionally, during the period of prohibiting the data communication between the external tool 105 and the access target ECU, the data communication of a specified data (e.g., regulation message) between external tool 105 and the access target ECU is exceptionally permitted. Therefore, while preventing the harms resulting from the connection of the improper external tool, it is possible to ensure the data communication of the specified data.

Second Example o First Embodiment

A second example of the first embodiment will be described with reference to FIGS. 9 and 10.

In the first example of the first embodiment, the vehicular gateway apparatus 102 performs the authentication of the external tool 105, sets the authenticated state and maintains the authenticated state. In an vehicular data communication authentication system 121 of the second example, one of ECUs has an authentication function, so that the one of ECUs is designated as an authentication ECU. Additionally, this authentication ECU performs the authentication of the external tool 105, and the vehicular gateway apparatus 102 sets the authenticated state and maintains the authenticated state.

As shown in FIG. 9, in a vehicular data communication authentication system 111, the authentication ECU 103 includes an authentication device 103 d. The authentication device 103 d is provided as a substitute for the authentication device 103 d of the vehicular gateway apparatus 102 of the first example of the first embodiment. That is, the authentication device 103 d has substantially the same function as the authentication device 103 d.

As shown in FIG. 10, in the authentication ECU 103, when the control device 103 a determines that the bus communication device 103 b has received an authentication seed request command from the external tool 105 through the vehicular gateway apparatus 102, the control device 103 a performs D101 to D103, which correspond to B101 to B103 performed by the vehicular gateway apparatus 102 as illustrated in the first example. When the control device 103 a determines that a result of the authentication of the external tool 105 is affirmative (YES at D103), the control device 103 a transmits an authentication result affirmative response command, which indicates that the result of the authentication is affirmative, from the bus communication device 103 b to the vehicular gateway apparatus 102.

When the control device 102 a of the vehicular gateway apparatus 102 determines that the ECU-side-bus communication device 102 b has received the authentication result affirmative response command from the authentication ECU, the control device 102 a transmits the authentication result affirmative response command to the external tool 105 by using the external-tool-side communication device 102 c. Thereafter, the control device 102 a performs B104 and B112 to B114, which have already illustrated in the first example. Specifically, the authentication ECU 103 performs the authentication of the external tool 105, and the vehicular gateway apparatus 102 sets the authenticated state. Thereafter, the vehicular gateway apparatus 102 maintains the authenticated state until the predetermined time has elapsed since the authenticated state was set. In the above illustration, the authenticated state is maintained only within the predetermined period after the authenticated state is set. However, as is the cases in the first example, the authenticated state may be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from the external such as the external tool 105, the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state.

In the second example, the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, after cutting off the connection of the external tool for example, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, it is possible to enhance the security. Additionally, since the authentication ECU 103 performs the authentication of the external tool 105 and since the vehicular gateway apparatus 102 sets and maintains the authenticated state, the authentication of the external tool 105, the setting of the authenticated state and the maintaining of the authenticated state are decentrally performed by the authentication ECU 103 and the vehicular gateway apparatus 102.

Third Example of First Embodiment

A third example of the first embodiment will be described with reference to FIGS. 12 and 13. In the third example, the vehicular gateway apparatus 102 connected with the bus 106 is absent. The authentication of the external tool 105, the setting of the authenticated state and the maintaining of the authenticated state are preformed by authentication ECU 103.

Specifically, as shown in FIG. 12, in a vehicular data communication authentication system 131, the authentication ECU 103 includes an authentication device 103 d, an authentication control device 103 e, a communication control device 103 f, a filtering device 103 g, and an authentication maintain device 103 h. The authentication device 103 d, the authentication control device 103 e, the communication control device 103 f, the filtering device 103 g and the authentication maintain device 103 h, respectively, have substantially the same function as the authentication device 102 d, the authentication control device 102 e, the communication control device 102 f, the filtering device 102 g and the authentication maintain device 102 h illustrated in the first example.

As shown in FIG. 13, in the authentication ECU 103, the control device 103 a determines that the bus communication device 103 b has received an authentication seed request command from the external tool 105 through the vehicular gateway apparatus 102, the control device 103 a performs D101 to D103, which correspond to B101 to B103 performed by the vehicular gateway apparatus 102 as illustrated in the first example. When the control device 103 a determines that a result of the authentication of the external tool 105 is affirmative (YES at D103), the control device 103 a transmits an authentication result affirmative response command, which indicates that the result of the authentication is affirmative, to the external tool 105 by using the bus communication device 103 b. Additionally, the control device 103 a performs D104 to D107, which correspond to B104 and B112 to B114 performed by the vehicular gateway apparatus 102 of the first example. In the present example also, as is the cases in the first example, the authenticated state can be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from the external such as the external tool 105, the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state.

In the third example, the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, after cutting off the connection of the external tool for example, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, it is possible to enhance the security. Additionally, since the authentication ECU 103 performs the authentication of the external tool 105, sets the authenticated state and maintains the authenticated state, it is possible to omit the vehicular gateway apparatus 102. In the present example, the access target ECU 104 may include an authentication control device 104 d and an authentication maintain device 104 g, so that the authentication ECU 103 performs the authentication of the external tool 105 and that the access target ECU 104 sets and maintains the authenticated state. That is, the authentication of the external tool 105, the setting of the authenticated state, and the maintaining of the authenticated state may be decentrally performed by multiple ECUs.

Fourth Example of First Embodiment

A fourth example of the first embodiment will be described with reference to FIGS. 14 and 15. In the fourth example of the first embodiment, the vehicular gateway apparatus 102 is not connected with the bus 106. The authentication of the external tool 105, the setting of the authenticated state and the maintaining of the authenticated state are preformed by the access target ECU 104.

Specifically, as shown in FIG. 14, in a vehicular data communication authentication system 131, the access target ECU 104 includes an authentication device 104 c, an authentication control device 104 d, a communication control device 104 e, a filtering device 104 f, and an authentication maintain device 104 g. The authentication device 104 c, the authentication control device 104 d, the communication control device 104 e, the filtering device 104 f and the authentication maintain device 104 g, respectively, have substantially the same functions as the authentication device 102 d, the authentication control device 102 e, the communication control device 102 f, the filtering device 102 g and the authentication maintain device 102 h illustrated in the first example.

As shown in FIG. 15, when the control device 104 a of the access target ECU 104 determines that the bus communication device 104 b has received the authentication seed request command from the external tool 105, the control device 104 a performs C106 to C112, which correspond to D101 to D107 performed by the authentication ECU 103 of the third example. In the present example also, as is the cases in the first example, the authenticated state may be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from the external such as the external tool 105, the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state.

In the fourth example, the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, after cutting off the connection of the external tool for example, it is possible to enhance the security. Additionally, since the access target ECU 104 performs the authentication of the external tool 105, sets the authenticated state and maintains the authenticated stat, it is possible to omit the vehicular gateway apparatus 102. In the present example, the authentication ECU 103 may include an authentication control device 103 e and an authentication maintain device 103 h, so that the access target ECU 104 performs the authentication of the external tool 105 and that the authentication ECU 103 sets and maintains the authenticated state. That is, the authentication of the external tool 105, the setting of the authenticated state and the maintaining of the authenticated state may be decentrally performed by multiple ECUs.

Fifth Example of First Embodiment

A fifth example of the first embodiment will be described with reference to FIGS. 16 and 17. As shown in FIG. 16, in the fifth example, a communication device 108 is connected with the ECU-side-bus 106 a. Additionally, a center (sever) 109 communicable with the external tool 105 and the communication device 108 via a wide area communication network are present. The center 109 performs the authentication of the external tool 105, and the vehicular gateway apparatus 102 sets and maintains the authenticated state.

Specifically, in a vehicular data communication authentication system 141, the center 109 includes an authentication device 109 a. The authentication device 109 a is provided as a substitute for the authentication device 102 d of the vehicular gateway apparatus 102 of the first example. The authentication device 109 a has substantially the same function as the authentication device 102 d illustrated in the first example.

As shown in FIG. 17, when the center 109 determines that the center 109 has receives the authentication seed request command from the external tool 105, the center 109 performs E101 to E103, which correspond to B101 to B103 performed by the vehicular gateway apparatus 102 illustrated in the first example. When the center 109 determines that the result of the authentication of the external tool 105 is affirmative (YES at E103), the center 109 transmits the authentication result affirmative response command, which indicates that the result of the authentication is affirmative, to the external tool 105 and the communication device 108.

The control device 102 a of the vehicular gateway apparatus 102 receives the authentication result affirmative response command from the center 109 through the communication device 108. When determining that the control device 102 a receives the authentication result affirmative response command from the communication device 108, the control device 102 a performs B104 and B112 to B114, which have been already illustrated in the first example. In the present example also, as is the cases in the first example, the authenticated state may be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from the external such as the external tool 105, the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state.

In the present example, the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, after cutting off the connection of the external tool for example, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, it is possible to enhance the security. Additionally, since the center 109 performs the authentication of the external tool 105 and since the vehicular gateway apparatus 102 sets and maintains the authenticated state, the authentication of the external tool 105, the setting of the authenticated state and the maintaining of the authenticated state are decentrally performed by the center 109 and the vehicular gateway apparatus 102. Additionally, since the center 109, which is located outside of the vehicular data communication authentication system 141, performs the authentication of the external tool 105, it is possible to perform high-security authentication by, for example, minutely updating the authentication seeds. Therefore, it is possible to further enhance security.

Sixth Example of First Embodiment

A sixth example of the first embodiment will be described with reference to FIGS. 18 and 19. As shown FIG. 18, in the sixth example, a communication device 108 is connected with the ECU-side-bus 106 a. Additionally, a center (sever) 109 communicable with the external tool 105 and the communication device 108 through a wide area communication network is present. The center 109 performs the authentication of the external tool 105, and the authentication ECU 103 sets and maintains the authenticated state.

As shown in FIG. 19, when the center 109 determines that the center 109 has receives the authentication seed request command from the external tool 105, the center 109 performs E101 to E103, which correspond to B101 to B103 performed by the vehicular gateway apparatus 102 of the first example. When the center 109 determines that the result of the authentication of the external tool 105 is affirmative (YES at E103), the center 109 transmits the authentication result affirmative response command, which indicates that the result of the authentication is affirmative, to the external tool 105 and the communication device 108.

The control device 103 a of the authentication ECU 103 receives the authentication result affirmative response command from the center 109 through the communication device 108. When determining that the control device 103 a receives the authentication result affirmative response command from the communication device 108, the control device 103 a performs D104 and D107 as illustrated in the second example. In the present example also, as is the cases in the first example, the authenticated state may be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from the external such as the external tool 105, the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state.

In the present example, the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, after cutting off the connection of the external tool for example, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, it is possible to enhance the security. Additionally, since the center 109 performs the authentication of the external tool 105 and since the authentication ECU 103 sets and maintains the authenticated state, the authentication of the external tool 105, the setting of the authenticated state and the maintaining of the authenticated state are decentrally performed by the center 109 and the authentication ECU 103. Additionally, since the center 109, which is located outside of a vehicular data communication authentication system 151, performs the authentication of the external tool 105, it is possible to perform high-security authentication by, for example, minutely updating the authentication seeds. Therefore, it is possible to further enhance security.

Seventh Example of First Embodiment

A seventh example will be described with reference to FIG. 20. In the seventh example, even in cases where it is impossible to directly perform the authentication of the external tool 105, the system enables indirect authentication of the external tool 105 by performing the authentication of the vehicle state. The seventh example can be achieved by using the same functional blocks (FIG. 1) as the first example.

As shown in FIG. 20, the control device 102 a of the vehicular gateway apparatus 102 receives the vehicle state from the ECU 103 through the ECU-side-bus communication device 102 b, thereby specifying the vehicle state (B117). Then the control device 102 a determines whether or not the vehicle state satisfies a predetermined condition, thereby performing the authentication of the vehicle state. In this way, the control device 102 a determines whether a result of the authentication of the vehicle state is affirmative or negative (B118). For example, the control device 102 a determines whether or not the immobilizer is in the unlocked state, whether or not the ignition switch is off, and whether or not the door is in the closed state.

Specifically, when a proper worker connects a proper external tool to the connector 107, the vehicle state is a normal state in which the immobilizer is in the released state (unlocked state), the ignition switch is off or the door is in the closed state. Thus, in the above situation, it is determined that the result of the authentication of the vehicle state is affirmative. However, when a third party having a bad intention connects a improper external tool to the connector 107, the vehicle state is a abnormal state in which the immobilizer is not in the released state; the ignition switch is not off; or the door is not the not-closed state. Thus, in the above situation, it is determined that the result of the authentication of the vehicle state is not affirmative.

In the gateway apparatus 102, when the control device 102 a determines that the result of the authentication of the vehicle state is affirmative (YES at B119), the control device 102 a performs B104. At B104, the control device 102 a transmits an authentication result affirmative response command, which indicates that the result of the authentication is affirmative, to the external tool 105 by using the external-tool-side-bus communication device 102 c. Additionally, the control device 102 a sets the authenticated state, which is a state where the vehicle state is authenticated. Within a period during which the authenticated state is set, the control device 102 a permits receipt of a data request command from the external tool 105 (permits the data communalization). Within a period during which the authenticated state is not set, the control device 102 a prohibits the receipt of the data request command from the external tool 105 (prohibits the data communalization).

When the authenticated state is set in the above way (B104), the control device 102 a performs B112 to B114 as illustrated in the first example. In the present example also, as is the cases in the first example, the authenticated state may be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from the external such as the external tool 105, the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state.

In the present example, the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, after cutting off the connection of the external tool for example, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, it is possible to enhance the security. Additionally, since the authenticating of the vehicle states, the setting of the authenticated state, and the maintaining of the authenticated state are collectively performed by the vehicular gateway apparatus 102, it is possible to achieve the above advantages by adding the vehicular gateway apparatus 102. Therefore, it is possible to achieve the above advantages while minimizing a change in an existing system.

Eighth Example of First Embodiment

An eighth example will be described with reference to FIG. 21. In the eighth example, the authentication ECU performs the authentication of the vehicle state and the vehicular gateway apparatus 102 sets and maintains the authenticated state. The eighth example can be achieved by using the same functional blocks (FIG. 10) as the second example.

As shown in FIG. 21, the control device 103 a of the authentication ECU 103 receives the vehicle state from an external, thereby specifying the vehicle state (D108). Then the control device 103 a determines whether or not the vehicle state satisfies a predetermined condition, thereby performing the authentication of the vehicle state. In this way, the control device 102 a determines whether a result of the authentication of the vehicle state is affirmative or negative (D109). The control device 103 a determines that the result of the he authentication of the vehicle state is affirmative (YES at D110), the control device 103 a transmits the authentication result affirmative response command, which indicates that the result of the authentication is affirmative, from the bus communication device 103 b to the vehicular gateway apparatus 102.

When the control device 102 a of the vehicular gateway apparatus 102 determines that the authentication result affirmative response command from the authentication ECU 103 is received by the ECU-side-bus communication device 102 b, the control device 102 a transmits the authentication result affirmative response command to the external tool 105 by using the external-tool-side communication device 102 c. Thereafter, the control device 102 a performs 8104, and 8112 to B114 as illustrated in the first example. In other words, the authentication ECU 103 performs the authentication of the vehicle state, and the vehicular gateway apparatus 102 sets the authenticated state, and maintains the authenticated state only within the predetermined period after the authenticated state was set. In the present example also, as is the cases in the first example, the authenticated state may be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from the external such as the external tool 105, the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state.

In the present example, the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, after cutting off the connection of the external tool for example, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, it is possible to enhance the security.

Ninth Example of First Embodiment

A ninth example will be described with reference to FIG. 22. In the ninth example, the authentication ECU 103 performs the authentication of the vehicle state, sets the authenticated state, and maintains the authenticated state. The ninth example can be achieved by using the same functional blocks (FIG. 12) as the third example.

As shown in FIG. 22, the control device 103 a of the authentication ECU 103 receives the vehicle state from an external and performs D108 to D110 as illustrated in the seventh example. When the control device 103 a determines that the result of the authentication of the vehicle state is affirmative (YES at D110), the control device 103 a transmits the authentication result affirmative response command, which indicates that the result of the authentication is affirmative, to the external tool 105 by using the bus communication device 103 b. Thereafter, the control device 103 a performs D104 to D107 as illustrated in the third example. In the present example also, as is the cases inn the first example, the authenticated state may be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from the external such as the external tool 105, the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state. In the present example, the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, after cutting off the connection of the external tool for example, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, it is possible to enhance the security. Additionally, since the authentication of the vehicle state, the setting of the authenticated state and the maintaining of the authenticated state are preformed by the authentication ECU 103, it is possible to omit the vehicular gateway apparatus 102. Alternatively, the access target ECU 104 may include an authentication control device 104 d and an authentication maintain device 104 g, so that the authentication ECU 103 performs the authentication of the vehicle state and that the access target ECU 104 sets and maintains the authenticated state. In other words, the authentication of the vehicle state, the setting of the authenticated state, and the maintaining of the authenticated state may be decentrally performed by multiple ECUs.

Tenth Example of First Embodiment

A tenth example will be described with reference to FIG. 23. In the tenth example, the access target ECU 104 performs the authentication of the vehicle state, sets the authenticated state, and maintains the authenticated state. The tenth example can be achieved by using the same functional blocks (FIG. 14) as the fourth example.

As shown in FIG. 23, the control device 104 a of the access target ECU 104 receives the vehicle state from the ECU 103 through the bus communication device 104 b, thereby specifying the vehicle state (C13). Then the control device 104 a determines whether or not the vehicle state satisfies the predetermined condition, thereby performing the authentication of the vehicle state and determining whether or not a result of the authentication is affirmative or negative (C14). When the result of the authentication is affirmative (YES at C14), the control device 104 a transmits the authentication result affirmative response command, which indicates that the result of the authentication is affirmative, to the external tool 105 by using the bus communication device 104 b. Then the control device 104 a performs C109 to C112 as illustrated in the fourth example. In the present example also, as is the cases in the first example, the authenticated state may be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from the external such as the external tool 105, the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state.

In the present example, the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, after cutting off the connection of the external tool for example, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, it is possible to enhance the security. Additionally, since the authentication of the vehicle state, the setting of the authenticated state and the maintaining of the authenticated state are preformed by the access target ECU 104, it is possible to omit the vehicular gateway apparatus 102. Alternatively, the authentication ECU 103 may include an authentication control device 103 e and an authentication maintain device 103 h, so that the access target ECU 104 performs the authentication of the vehicle state and that the authentication ECU 103 sets and maintains the authenticated state. That is, the authentication of the vehicle state, the setting of the authenticated state, and the maintaining of the authenticated state may be decentrally performed by multiple ECUs.

Other Examples of First Embodiment

The above-illustrated examples do not limit examples of the first embodiment. The first embodiment can be modified and extended in various ways. For example, when (i) the result of the authentication of the external tool 105 is affirmative and (ii) the result of the authentication of the vehicle state is affirmative, the authenticated state may be set. The vehicle state to be authenticate is not limited to the state (locked state, released stated) of the immobilizer, the state (on, off) of the initiation switch, and the state of the door (open state, closed state). Any state can be adopted as long as the state enable a determination as to whether or not a proper operator connects a proper external tool or an improper operator connects an improper external tool. Further, the determination may be used by using a single one of the states or by using a combination of the states. The filtering device 102 g of the vehicular gateway apparatus 102, the filtering device 103 g of the authentication ECU 103, and the filtering device 104 f of the access target ECU 104 may be omissible.

Second Embodiment

A first example of the embodiment will be described with reference to FIGS. 24 to 27. As shown in FIG. 24, in a vehicular data communication system 201, a vehicular data communication apparatus 202 is connected with a bus so as to partition (separate) multiple ECUs including a first ECU 203 and a second ECU 204 from an external tool 205. Each of the ECUs and the external tool 205 serves as a node. The external tool 205 is operable by an operator. A bus connecting the vehicular data communication apparatus 202 and the external tool 205 is called a bus A. That is, the bus A is a bus for data transmission between the vehicular data communication apparatus 202 and the external tool 205. A bus connecting the vehicular data communication apparatus 202 and the first ECU 203 is called a bus B. That is, the bus B is a bus for data transmission between the vehicular data communication apparatus 202 and the first ECU 203. A bus connecting the vehicular data communication apparatus 202 and the second ECU 204 is called a bus C. That is, the bus C is a bus for data transmission between the vehicular data communication apparatus 202 and the second ECU 204. A connector 206, to which the external tool 205 is connectable, is provided on an external tool side of the bus A. When the external tool 205 is connected to the connector 206, the external tool 205 becomes able to communicate with the vehicular data communication apparatus 202.

The bus A, the bust B and the bus C adopt a control device area network (CAN) as a data communication method. The CAN communication defines a data field for storing a data, an identifier field for identifying type of a data frame, a cyclic redundancy check (CRC) field for storing CRC check, etc. However, in the CAN communication, a source field for identifying a source (source address) of a data frame and an authentication field for authenticating a data frame are not defined.

The vehicular data communication apparatus 202 includes a control device 202 a (which can correspond to an example of encryption control device and means), an ECU-side-bus communication device 202 b, an external-tool-side-bus communication device 202 c, an encryption device 202 d, and an encryption table 202 e (which can correspond to an encryption information storage device or means). The control device 202 a includes a microcomputer. By executing a control program with the microcomputer, the control device 202 a controls operations of the ECU-side-bus communication device 202 b, the external-tool-side-bus communication device 202 c and the encryption device 202 d. The ECU-side bus communication device 202 b is connected with the bus B and the bus C, and controls data transmission and receipt between the first ECU 203 and the second ECU 204. The external-tool-side bus communication device 202 c is connected with the bus A. In a state where the external tool 205 is connected to the connector 206, the external-tool-side bus communication device 202 c controls communications, such as data transmission and receipt, with the external tool 205.

By referencing the encryption table 202 e, the encryption device 202 d references the encryption table 202 e to encrypt and rewrite a plaintext data into an encrypted-text data. In the above, the plaintext data to be encrypted may be (i) a plaintext data which the external-tool-side bus communication device 202 c receives from the external tool 205, and (ii) a plaintext data which the ECU-side-bus communication device 202 b receives from the first ECU 203 or the second ECU 204. For each combination of a bus connected with a data source node and a bus connected with a data destination node, the encryption table 202 e stores an encryption information. For example, as illustrated in FIG. 24, for the case where the bus connected with the data source node is the bus A and the bus connected with the data destination node is the bus B, the encryption table 202 e stores the encryption information (“encr” in FIG. 24) indicating that the plaintext is to be encrypted. For the case where the bus connected with the data source node is the bus A and the bus connected with the data destination node is the bus C, the encryption table 202 e stores the encryption information (“plain” in FIG. 24) indicating that the plaintext is not to be encrypted.

The first ECU 203 includes a control device 203 a (which can correspond to an example of decryption control device and means), a bus communication device 203 b, a decryption device 203 c, and a decryption table 203 d (which can correspond to an example of decryption information storage device and means). The control device 203 a includes a microcomputer. By executing a control program with the microcomputer, the control device 203 a controls the bus communication device 203 b and the decryption device 203 c. The bus communication device 203 b is connected with the bus B and controls communication, such as data transmission and receipt, with the vehicular data communication apparatus 202.

The decryption device 203 c decrypts an encrypted-text data received from the vehicular data communication apparatus 202, by rewriting the encrypted-text data into a plain text data when the bus communication device 203 b receives the encrypted-text data from the vehicular data communication apparatus 202. For each bus connected with a data source node, the decryption table 203 d stores decryption information. For example, as illustrated in FIG. 24, for the case where the bus connected with the data source node is the bus A, the decryption table 203 d stores “decry” indicating that the encrypted-text data is to be decrypted. For the case where the bus connected with the source node is the bus C, the decryption table 203 d stores “plain” indicating that the plain-text data is not to be decrypted.

The second ECU 204 has substantially the same configuration as the first ECU 203. The second ECU 204 includes a control device 204 a (which can correspond to an example of decryption control device and means), a bus communication device 204 b, a decryption device 204 c, and a decryption table 204 d (which can correspond to an example of decryption information storage device and means). The control device 204 a includes a microcomputer. By executing a control program with the microcomputer, the control device 204 a controls the bus communication device 204 b and the decryption device 204 c. The bus communication device 204 b is connected with the bus C and controls communication, such as data transmission and receipt, with the vehicular data communication apparatus 202.

The decryption device 204 c decrypts an encrypted-text data by rewriting the encrypted-text data into a plain text data when the bus communication device 204 b receives the encrypted-text data from the vehicular data communication apparatus 202. For each bus connected with the data source node, the decryption table 204 d stores decryption information. For example, as illustrated in FIG. 24, for the case where the bus connected with the data source node is the bust A, the information “plain” indicating that the plain-text data is not encrypted is stored. For the case where the bus connected with the data source node is the bus C, “the information decry” indicating that the encrypted-text data is to be decrypted is stored.

The external tool 205 includes a control device 205 a (which can correspond to a decryption control device and means), a bus communication device 205 b, a decryption device 205 c, a decryption table 205 d (which can correspond to a decryption information storage device and means), an input/output interface (IF) 205 e. The control device 205 a includes a microcomputer. By executing a control program with the microcomputer, the control device 205 a controls operations of the bus communication device 205 b, the decryption device 205 c, and the input/output interface (IF) 205 e. The bus communication device 205 b is connected with the bus A and controls communication, such as data transmission and receipt, with the vehicular data communication apparatus 202.

The decryption device 205 c decrypts an encrypted-text data by rewriting the encrypted-text data into a plain text data when the bus communication device 205 b receives the encrypted-text data from the vehicular data communication apparatus 202. The decryption table 205 d stores decryption information for each data bus connected with the data source node. For example, as illustrated in FIG. 24, for the case where the bus connected with the data source node is the bus B, the information “decry” indicating that the encrypted-text data is to be decrypted is stored. For the case where the bus connected with the data source node is the bus C, the information “plain” indicating that the plain-text data is not decrypted is stored.

The input/output IF 205 e has a function to accept an input operation from the operator operating the external tool 205, and has a function to issue a notification by, for example, displaying a data. Specifically, by connecting the external tool 205 to the connector 206 and performing the input operation to the external tool 205, the operator can rewrite the control program of an access target ECU and read out a data from the access target ECU. The external tool 205 is not limited to a dedicated node for rewriting the control program of the access target ECU and reading out the data from the access target ECU but the external tool 205 may be a cellular phone, a personal digital assistance or the like having the above functions.

The encryption and decryption may use a public-key cryptography, in which the encryption is performed with a public-key and the decryption is performed with a private-key. Alternatively, the encryption and decryption may use a common-key cryptography, in which the encryption and decryption are performed with a common-key. Various ECUs may be used as the first ECU 203 and the second ECU 204. For example, the first ECU 203 or the second ECU 204 may be one of an engine ECU for controlling an engine, a door lock ECU for controlling operations of a door lock mechanism, a navigation ECU for controlling navigation operations, a meter ECU for controlling operations of a meter (indicator), and the like. For example, when the first ECU 203 or the second ECU 204 is the engine ECU, the first ECU 203 or the second ECU 204 includes a functional block for controlling the engine in addition to the above-described functional blocks. In the example shown in FIG. 24, the number of ECUs is two. However, the number of ECUs may be one, or more than two.

The encryption table and the decryption table are set up based on, for example, the following. Let us assume that the data transmitting through the bus can be classified into a regulation message (i.e., the message that gives obligation to answer in response to the request) and a non-regulation message (i.e., the message that does not give obligation to answer in response to the request). In this case, the encryption table and the decryption table are set up, so that (i) the information indicating that the encryption or decryption is not to be performed is set for the bus connected with the node that transmits and receives the regulation message, and (ii) the information indicating that the encryption or decryption is to be performed is set for the bus connected with the node that transmits and receives the non-regulation message.

Operations will be described with reference to FIGS. 25 to 28. In the following, three situations are illustrated. A first situation is that the external tool 205 and the first ECU 203 perform the data communication. A second situation is that the external tool 205 and the second ECU 204 perform the data communication. A third situation is that the first ECU 203 and the second ECU 204 perform the data communication.

(1) The First Situation (the External Tool 205 and the First ECU 203 Perform the Data Communication)

In this situation, the processes illustrated in FIG. 25 are performed by the external tool 205, the first ECU 203, and the vehicular data communication apparatus 202. As illustrated in FIG. 25, when the external tool 205 is connected to the connector 206, the plain-text data is transmitted from the external tool 205 to the first ECU 203 (data destination node). In this case, when the control device 202 a of the vehicular data communication apparatus 202 determines that the plain-text data is received by the external-tool-side-bus communication device 202 c, the control device 202 a determines whether or not it is necessary to encrypt the received plain-text data (B201). When the control device 202 a determines that it is necessary to encrypt the received plain-text data (YES at B201), the control device 202 a encrypts the plaintext data by using the encryption device 202 d (B202), and transmits the encrypted-text data to the first ECU 203 by using the ECU-side-bus communication device 202 b. When the control device 202 a determines that it is not necessary to encrypt the plaintext data (NO at B201), the control device 202 a transmits the plaintext data to the first ECU 203 by using the ECU-side-bus communication device 202 b, without encrypting the plaintext data by using the encryption device 202 d. In the present example, since “encry” is stored for a combination of the bus A connected with the source and the bus B connected with the destination, the control device 202 a encrypts the plaintext data received from the external tool 205, and transmits the encrypted-text data to the first ECU 203.

When the control device 203 a of the first ECU 203 determines that the bus communication device 203 b has received the data, which is addressed to the first ECU 203, from the vehicular data communication apparatus 202, the control device 203 a performs C201. At 0201, by referencing the decryption table 203 d, the control device 203 a determines whether or not it is necessary to decrypt the received data. When the control device 203 a determines that it is necessary to decrypt the received data, in other words, when the control device 203 a determines that the received data is the encrypted-text data (YES at 0201), the control device 203 a decrypts the encrypted-text data (C202) and performs data processing based on the decrypted data. When the control device 203 a determines that it is not necessary to decrypt the received data, in other words, when the control device 203 a determines that the received data is the plaintext data (NO at C201), the control device 203 a performs data processing based on the plaintext data without decrypting the plaintext data (C203). In the present example, since “decry” is stored for the bus A connected with the data source node, the control device 203 a decrypts the encrypted-text data received from the vehicular data communication apparatus 202, and performs the data processing based on the plaintext data. Thereafter, the control device 203 a transmits a plaintext data to the vehicular data communication apparatus 202 by using the bus communication device 203 b.

When the control device 202 a of the vehicular data communication apparatus 202 determines that the external-tool-side-bus communication device 202 c has received the plain-text data, which is addressed to the external tool 205, from the external tool 205, the control device 202 a performs B203. At B203, by referencing the encryption table 202 e, the control device 202 a determines whether or not it is necessary to encrypt the received plain-text data (B203). When the control device 202 a determines that it is necessary to encrypt the received plain-text data (YES at 8203), the control device 202 a encrypts the plaintext data by using the encryption device 202 d (B204), and transmits the encrypted-text data to the external tool 205 by using the external-tool-side-bus communication device 202 c. When the control device 202 a determines that it is not necessary to encrypt the received plain-text data (NO at B203), the control device 202 a transmits the plaintext data to the external tool 205 by using the external-tool-side-bus communication device 202 c, without encrypting the plaintext data by using the encryption device 202 d. In the present example, since “encry” is stored for a combination of the bus B on a source side and the bus A on a destination side, the control device 202 a encrypts the plaintext data received from the first ECU 203, and transmits the encrypted-text data to the external tool 205.

When the control device 205 a of the external tool 205 determines that the bus communication device 205 b has received the data, which is addressed to the external tool 205, from the vehicular data communication apparatus 202, the control device 205 a performs A201. At A201, by referencing the decryption table 205 d, the control device 205 a determines whether or not it is necessary to decrypt the received data. When the control device 205 a determines that it is necessary to decrypt the received data, in other words, when the control device 205 a determines that the received data is the encrypted-text data (YES at A201), the control device 205 a decrypts the encrypted-text data (A202) and performs data processing based on the decrypted data (A203). When the control device 205 a determines that it is not necessary to decrypt the received data, in other words, when the control device 203 a determines that the received data is the plaintext data (NO at A201), the control device 203 a performs data processing based on the plaintext data without decrypting the plaintext data (A203). In the present example, since “decry” is stored for the bus B on the source side, the control device 205 a decrypts the decrypted-text data received from the vehicular data communication apparatus 202 to obtain a plaintext data and performs the data processing based on the plaintext data

As described above, the vehicular data communication apparatus 202 stores “encry” for the combination of the bus A on the data source side and the bus B on the data destination side. Thus, upon receipt of the plaintext data from the external tool 205, the vehicular data communication apparatus 202 encrypts the received plaintext data into a decrypted-text data and transmits the decrypted-text data to the first ECU 203. Moreover, the vehicular data communication apparatus 202 stores “encry” for the combination of the bus B on the data source side and the bus A on the data destination side. Thus, upon receipt of the plaintext data from the first ECU 203, the vehicular data communication apparatus 202 encrypts the received plaintext data into a decrypted-text data and transmits the decrypted-text data to the external tool 205.

(2) The Second Situation (the External Tool 205 and the Second ECU 204 Perform the Data Communication)

As shown in FIG. 26, the vehicular data communication apparatus 202 performs step B211 and 8212, and then, the second ECU 204 performs D211 to D213, and then the vehicular data communication apparatus 202 performs B213 and B214, and then the external tool 205 performs A211 to A213. In the present example, the vehicular data communication apparatus 202 stores “plain” for the combination of the bus A on the data source side and the bus C on the data destination side. Thus, upon receipt of the plaintext data from the external tool 205, the vehicular data communication apparatus 202 transmits the received plaintext data to the second ECU 204 without encrypting the received plaintext data. Moreover, the vehicular data communication apparatus 202 stores “plain” for the combination of the bus C on the data source side and the bus A on the data destination side. Thus, upon receipt of the plaintext data from the second ECU 204, the vehicular data communication apparatus 202 transmits the received plaintext data to the external tool 205 without encrypting the received plaintext data.

(3) The Third Situation (the First ECU 203 and the Second ECU 204 Perform the Data Communication).

As shown in FIG. 27, the vehicular data communication apparatus 202 performs step B221 and B222, and then, the second ECU 204 performs D221 to D223, and then the vehicular data communication apparatus 202 performs B223 and B224, and then the first ECU 203 performs C221 to C223. In the present example, the vehicular data communication apparatus 202 stores “encry” for the combination of the bus B on the data source side and the bus C on the data destination side. Thus, upon receipt of the plaintext data from the first ECU 203, the vehicular data communication apparatus 202 encrypts the received plaintext data into a decrypted-text data and transmits the decrypted-text data to the second ECU 204. Moreover, the vehicular data communication apparatus 202 stores “plain” for the combination of the bus C on the data source side and the bus B on the data destination side. Thus, upon receipt of the plaintext data from the second ECU 204, the vehicular data communication apparatus 202 transmits the received plaintext data to the first ECU 203 without encrypting the received plaintext data.

In the first example, the vehicular data communication apparatus 202 relays a data among the external tool 205, the first ECU 203 and the second ECU 204. For each combination of a bus connected with a data source node and a bus connected with a data destination node, the encryption information (the encryption table) indicating whether or not the data is to be encrypted is uniformly managed by the vehicular data communication apparatus 202. Additionally, for each bus connected with the data source node, the decryption information (the decryption table) indicating whether or not the data is to be decrypted is uniformly managed by the external tool 205, the first ECU 203 and the second ECU 204.

Accordingly, to transmit the data, the external tool 205, the first ECU 203 and the second ECU 204 are not required to encrypt the data. Thus, the external tool 205, the first ECU 203 and the second ECU 204 can transmit the data without encrypting the data. Additionally, it is sufficient for each of the external tool 205, the first ECU 203 and the second ECU 204 to store the decryption table associated with only the data that is transmitted from the vehicular data communication apparatus 202 to the each. Therefore, a configuration complication and a processing increase resulting from the encryption and the decryption can be prevented. For example, it is possible to use a processing capacity (e.g., a memory capacity), which is not unlimited, for a primary function, and it is possible to ensure fulfilling the primary function. It should be noted that if the encryption or the decryption causes the failure to fulfill the primary function (e.g., processing delay), a negative influence may be give on, for example, vehicle control during the vehicle traveling. Therefore, the configuration of the present example is remarkably advantageous in a system in which the ECU serves as a node. Moreover, since the vehicular data communication apparatus 202 performs the data encryption, it is possible to enhance the security in data communication. Specifically, even if an improper external tool is connected to the bus, a data transmitted from the improper external tool is not supported by the encryption of the vehicular data communication apparatus 202, and thus, it becomes possible to prevent the improper rewriting of the control programs of the first ECU 203 and the second ECU 204 and the improper reading out of the first ECU 203 and the second ECU 204.

Moreover, even when multiple nodes transmitting a data needed to be encrypted are connected with the same bus and/or even when multiple nodes transmitting a data unneeded to be encrypted are connected with the same bus, an encryption table and/or an decryption table targeted for respective individual nodes are not required to be set up. Instead, the encryption table and/or the decryption table targeted for respective individual nodes are set up. Therefore, a work for setting up the encryption table and/or the decryption table is simple.

Although the above illustration is directed to the system in which the first ECU 203 is connected with the vehicular data communication apparatus 202 through the bus B, ideas of the above illustration are applicable to a system in which multiple ECUs including the first ECU 203 are connected with the vehicular data communication apparatus 202 through the bus B. Specifically, as shown in FIG. 28, in the vehicular data communication system 211, the first ECU 203 and a third ECU 207 may be connected with the vehicular data communication apparatus 202 through the bus B. In this configuration, the third ECU 207 stores the same decryption table as the first ECU 203 stores, so that the third ECU 207 can performs substantially the same process as the first ECU 203. It should be noted that when the first ECU 203 and the third ECU 207 perform the data communication, the encryption table stored in the vehicular data communication apparatus 202 is not used, because the vehicular data communication apparatus 202 does not relay the data. The same is applied to cases where the second ECU 204 and the fourth ECU 208 are connected with the vehicular data communication apparatus 202 through the bus C.

Second Example of Second Embodiment

A second example of the second embodiment will be described with reference to FIGS. 29 and 30. In the second example, for each combination of a data source node and a data destination node, the encryption table is uniformly managed by the vehicular data communication apparatus 202 relaying a data. For each data source node, the decryption table is uniformly managed by the external tool 205, the first ECU 203, and the second ECU 204. In the second example, for example, the information indicating that the decryption or the encryption is not to be performed is set for a node that transmits and receives a non-regulation message. The information indicating that the decryption or the encryption is to be performed is set for a node that transmits and receives a regulation message.

In a vehicular data communication system 221, the vehicular data communication apparatus 202 is connected with the first ECU 203 and the second ECU 204 through the bus B. The vehicular data communication apparatus 202 stores the encryption information as the encryption table 202 e for each combination of a data source node and a data destination node. For example, as illustrated in FIG. 29, for the case where the data source node is the external tool 205 and the data destination node is the first ECU 203, the stored encryption information indicates that the plaintext data is to be encrypted. For the case where the data source node is the external tool 205 and the data destination node is the second ECU 204, the stored encryption information indicates that the plaintext data is not to be encrypted

For each data source node, the first ECU 203 stores the decryption information as the decryption table 203 d. For example, as illustrated in FIG. 29, for the case where the data source node is the external tool 205, the stored decryption information indicates that the encrypted-text data is to be decrypted. Likewise, for each data source node, the second ECU 204 stores the decryption information as the decryption table 204 d. For example, as illustrated in FIG. 29, for the case where the data source node is the external tool 205, the stored decryption information indicates that the plaintext data is not to be decrypted. Likewise, for each data source node, the external tool 205 stores the decryption information as the decryption table 205 d. For example, as illustrated in FIG. 29, for the case where the data source node is the first ECU 203, the stored decryption information indicates that the encrypted-text data is to be decrypted. For the case where the data source node is the second ECU 204, the stored decryption information indicates that the plain-text data is not to be decrypted.

In the second example, the vehicular data communication apparatus 202 relays a data among the external tool 205, the first ECU 203 and the second ECU 204. For each combination of a data source node and a data destination node, the vehicular data communication apparatus 202 uniformly manages the encryption information (the encryption table) indicating whether or not the data is to be encrypted. Additionally, for each data source node, the decryption information (the decryption table) indicating whether or not the data is to be decrypted is uniformly managed by the external tool 205, the first ECU 203 and the second ECU 204.

Accordingly, the second example of the second embodiment can provide substantially the same advantages as the first example of the second embodiment. Specifically, to transmit the data, the external tool 205, the first ECU 203 and the second ECU 204 are not required to encrypt the data. Thus, the external tool 205, the first ECU 203 and the second ECU 204 can transmit the data without encrypting the data. Additionally, it is sufficient for each of the external tool 205, the first ECU 203 and the second ECU 204 to store the decryption table associated with only the data that is transmitted from the vehicular data communication apparatus 202 to the each. Therefore, a configuration complication and a processing increase resulting from the encryption and the decryption can be prevented. Moreover, since the vehicular data communication apparatus 202 performs the data encryption, it is possible to enhance the security in data communication.

Moreover, even when multiple nodes transmitting a data needed to be encrypted are connected with the same bus and/or even when multiple nodes transmitting a data unneeded to be encrypted are connected with the same bus, it is possible to appropriately encrypt only the data needed to be encrypted, by setting the encryption tables and/or the decryption tables for respective individual nodes. Additionally, it is possible to flexibly deal with node addition and node deletion.

The above illustration is directed to the system in which the first ECU 203 and the second ECU 204 are connected with the vehicular data communication apparatus 202 through the bus B. However, ideas of the above illustration are applicable to a system in which multiple ECUs including the first ECU 203 and the second ECU 204 are connected with the vehicular data communication apparatus 202 through multiple buses including the bus B. For example, as illustrated in FIG. 30, in a vehicular data communication system 231, the first ECU 203 and the second ECU 204 are connected with the vehicular data communication apparatus 202 through the bus B, and additionally, the third ECU 207 and the fourth ECU 208 are connected with the vehicular data communication apparatus 202 through the bus C. In this case, the vehicular data communication apparatus 202 stores the encryption table by designating the third ECU 207 and the fourth ECU 208 as the data source node and the data destination node. Each of the first ECU 203, the second ECU 204 and the external tool 205 stores the decryption table by designating the third ECU 207 and the fourth ECU 208 as the data source node.

Third Example of Second Embodiment

A third example of the second embodiment will be described with reference to FIGS. 31 and 32. In the third example, the vehicular data communication apparatus 202 for relaying a data uniformly manages the encryption table for each identifier (CAN_ID) indicative of type of a data frame storing a data. For each identifier (CAN_ID) indicative of type of a data frame storing a data, the decryption table is uniformly managed by the external tool 205, the first ECU 203 and the second ECU 204. In the third example, for example, the information indicating that the decryption or the encryption is not to be performed is set for the CAN_ID of the data frame having the regulation message. The information indicating that the decryption or the encryption is not to be performed is set for the CAN_ID of the data frame having the non-regulation message. The CAN_ID refers to information identifying data content or the like, and has 11-bit length in standard format, as illustrated in FIG. 32.

In a vehicular data communication system 241, for each CAN_ID indicative of the type of the data frame, the vehicular data communication apparatus 202 stores the encryption as the encryption table 202 e. For example, as illustrated in FIG. 31, for the case where the data frame has the CAN_ID “700”, the stored encryption information indicates that the plaintext data is to be encrypted. For the case where the data frame has the CAN_ID “701”, the stored encryption information indicates that the plaintext data is not to be encrypted.

For each CAN_ID indicative of the type of the data frame, the first ECU 203 stores the decryption information as the decryption table 203 d. For example, as illustrated in FIG. 31, for the case where the data frame has the CAN_ID “700”, the stored decryption information indicates that the plaintext data is to be decrypted. For the case where the data frame has the CAN_ID “701”, the stored encryption information indicates that the plaintext data is not to be decrypted. Likewise, the second ECU 204 stores, for each CAN_ID indicative of the type of the data frame, the decryption information as the decryption table 204 d. The external tool 205 also stores, for each CAN_ID indicative of the type of the data frame, the decryption information as the decryption table 205 d.

In the third example, the vehicular data communication apparatus 202 relays a data among the external tool 205, the first ECU 203 and the second ECU 204. For each CAN_ID, the vehicular data communication apparatus 202 uniformly manages the encryption information (the encryption table) indicating whether or not the data is to be encrypted. Additionally, for each CAN_ID, the decryption information (the decryption table) indicating whether or not the data is to be decrypted is uniformly managed by the external tool 205, the first ECU 203 and the second ECU 204.

Accordingly, the third example of the second embodiment can provide substantially the same advantages as the first example of the second embodiment. Specifically, to transmit the data, the external tool 205, the first ECU 203 and the second ECU 204 are not required to encrypt the data. Thus, the external tool 205, the first ECU 203 and the second ECU 204 can transmit the data without encrypting the data. Additionally, it is sufficient for each of the external tool 205, the first ECU 203 and the second ECU 204 to store the decryption table associated with only the data that is transmitted from the vehicular data communication apparatus 202 to the each. Therefore, a configuration complication and a processing increase resulting from the encryption and the decryption can be prevented. Moreover, since the vehicular data communication apparatus 202 performs the data encryption, it is possible to enhance the security in data communication.

Moreover, by setting the encryption tables and the decryption tables for respective individual data frames, it is possible to appropriately encrypt only the data needed to be encrypted, even when the same single node transmits both of the data frame storing the data needed to be encrypted and the data frame storing the data unneeded to be encrypted.

Fourth Example of Second Embodiment

A fourth example of the second embodiment will be described with reference to FIG. 33. In the fourth example, the vehicular data communication apparatus 202 for relaying a data uniformly manages the encryption table for each data storage area (data field) of a data frame storing a data. For each data storage area (data field) of a data frame storing a data, the decryption table is uniformly managed by the external tool 205, the first ECU 203 and the second ECU 204. In the fourth example, for example, the information indicating that the decryption or the encryption is not to be performed is set for the data storage area of the data frame having the regulation message. The information indicating that the decryption or the encryption is not to be performed is set for the data storage area of the data frame having the non-regulation message.

In a vehicular data communication system 251, for each data storage area of the data frame, the vehicular data communication apparatus 202 stores the encryption as the encryption table 202 e. For example, as illustrated in FIG. 33, for a plaintext data stored in “0 to 4 byte” of the data field of the data frame having “800” as the CAN_ID, the stored encryption information indicates that the plaintext data is to be encrypted. For a plaintext data stored in “5 to 8 byte”, the stored encryption information indicates that the plaintext data is not to be encrypted.

For each data storage area of the data frame, the first ECU 203 stores the decryption information as the decryption table 203 d. For example, as illustrated in FIG. 33, for an encrypted-text data stored in “0 to 4 byte” of the data field of the data frame having “800” as the CAN_ID, the stored decryption information indicates that the encrypted-text data is to be decrypted. For a plaintext data stored in “5 to 8 bytes”, the stored decryption information indicates that the plaintext data is not to be decrypted. Likewise, the second ECU 204 stores, for each data storage area of the data frame, the decryption information as the decryption table 204 d. The external tool 205 also stores, for each data storage area of the data frame, the decryption information as the decryption table 205 d.

In the fourth example, the vehicular data communication apparatus 202 relays a data among the external tool 205, the first ECU 203 and the second ECU 204. For each data field (for each data storage area of the data frame), the vehicular data communication apparatus 202 uniformly manages the encryption information (the encryption table) indicating whether or not the data is to be encrypted. Additionally, for each data field (for each data storage area of the data frame), the data destination node uniformly manages the decryption information (the decryption table) indicating whether or not the data is to be decrypted. The data destination node is, for example, the external tool 205, the first ECU 203 and the second ECU 204.

Accordingly, the third example of the second embodiment can provide substantially the same advantages as the first example of the second embodiment. Specifically, to transmit the data, the external tool 205, the first ECU 203 and the second ECU 204 are not required to encrypt the data. Thus, the external tool 205, the first ECU 203 and the second ECU 204 can transmit the data without encrypting the data. Additionally, it is sufficient for each of the external tool 205, the first ECU 203 and the second ECU 204 to store the decryption table associated with only the data that is transmitted from the vehicular data communication apparatus 202 to the each. Therefore, a configuration complication and a processing increase resulting from the encryption and the decryption can be prevented. Moreover, since the vehicular data communication apparatus 202 performs the data encryption, it is possible to enhance the security in data communication.

Moreover, by setting the encryption tables and the decryption tables for respective individual data storage areas, it is possible to appropriately encrypt only the data needed to be encrypted, even when the node transmits the data frame having both of the data needed to be encrypted and the data unneeded to be encrypted.

Other Examples of Second Embodiment

The second embodiment is not limited to the above-illustrated examples, and can be modified and extended in, for example, the following way. Two or more of the first to fourth examples may be combined. Specifically, the system may employ the tow or more of: a configuration in which the encryption information and the decryption information are managed on a bus-by-bus basis; a configuration in which the encryption information and the decryption information are managed on a node-by-node basis; a configuration in which the encryption information and the decryption information are managed on a CAN_ID-by-CAN_ID basis; and a configuration in which the encryption information and the decryption information are managed on a data-field-by-data-field basis. Some of the multiple ECUs may have some of the functions of the vehicular data communication apparatus 202. Specifically, the vehicular data communication apparatus 202 is not limited to a dedicated apparatus for encrypting a data by determining whether or not to encrypt the data. For example, an ECU having a high processing capacity may be provided in the system, so that, while fulfilling its primary function, the ECU encrypts a data by determining whether or not to encrypt the data.

The present disclosure is not limited the above embodiments and modifications thereof. That is, the above embodiments and modifications thereof may be modified in various ways without departing from the sprit and scope of the present disclosure. 

What is claimed is:
 1. A vehicular data communication authentication system in which an external tool is connectable to a bus connected with electronic control units (ECUs) including an access target ECU, the vehicular data communication authentication system comprising: an authentication device that performs authentication of the external tool connected to the bus; an authentication control device that: determines whether or not a result of the authentication of the external tool preformed by the authentication device is affirmative; when determining that the result of the authentication of the external tool is affirmative, sets an authenticated state and permits a data communication between the external tool and the access target ECU; and when determining that the result of the authentication of the external tool is not affirmative, does not set the authenticated state and prohibits the data communication between the external tool and the access target ECU; and an authentication maintain device that, after the authenticated state is set by the authentication control device, maintains the authenticated state within one of: a first period, which is a predetermined period of time elapsed since the authenticated state was set; a second period, which is a period during which an authenticated state maintain request is inputted to the authentication control device; a third period, which is a period during which a vehicle state satisfies a predetermined condition; and a fourth period, which is a period during which the bus is in a communicating state.
 2. The vehicular data communication authentication system according to claim 1, further comprising: a vehicular gateway apparatus that partitions the external tool from the ECUs, wherein: the authentication device, the authentication control device and the authentication maintain device are provided in the vehicular gateway apparatus.
 3. The vehicular data communication authentication system according to claim 1, further comprising: a vehicular gateway apparatus that partitions the external tool from the ECUs, wherein: the ECUs include an authentication ECU, which is provided separately from the access target ECU; the authentication device is provided in the vehicular gateway apparatus; and the authentication control device and the authentication maintain device are provided in the authentication ECU.
 4. The vehicular data communication authentication system according to claim 1, wherein: the ECUs include an authentication ECU, which is provided separately from the access target ECU; the authentication device is provided in the authentication ECU; and the authentication control device and the authentication maintain device are provided in each of the ECUs including the authentication ECU and the access target ECU.
 5. The vehicular data communication authentication system according to claim 1, wherein: the ECUs include an authentication ECU, which is provided separately from the access target ECU; and the authentication device, the authentication control device and the authentication maintain device are provided in each of the ECUs including the authentication ECU and the access target ECU.
 6. The vehicular data communication authentication system according to claim 1, further comprising: a center that is communicable with the external tool; and a vehicular gateway apparatus that partitions the external tool from the ECUs, wherein: the authentication device is provided in the center; and the authentication control device and the authentication maintain device are provided in the vehicular gateway apparatus.
 7. The vehicular data communication authentication system according to claim 1, further comprising: a center that is communicable with the external tool, wherein: the ECUs include an authentication ECU, which is provided separately from the access target ECU; the authentication device is provided in the center; and the authentication control device and the authentication maintain device are provided in the authentication ECU.
 8. The vehicular data communication authentication system according to claim 1, further comprising: a communication control device that, in a situation where the authenticated state is not set by the authentication device, permits the data communication between the external tool and the access target ECU only for a specified data.
 9. A vehicular data communication authentication system in which an external tool is connectable to a bus connected with electronic control units (ECUs) including an access target ECU, the vehicular data communication authentication system comprising: an authentication device that performs authentication of a vehicle state; an authentication control device that: determines whether or not a result of the authentication of the vehicle state preformed by the authentication device is affirmative; when determining that the result of the authentication of the vehicle state is affirmative, sets an authenticated state and permits a data communication between the external tool and the access target ECU; and when determining that the result of the authentication of the vehicle state is not affirmative, does not set the authenticated state and prohibits the data communication between the external tool and the access target ECU; and an authentication maintain device that, after the authenticated state is set by the authentication control device, maintains the authenticated state within one of: a first period, which is a predetermined period of time elapsed since the authenticated state was set; a second period, which is a period during which an authenticated state maintain request is inputted to the authentication control device; a third period, which is a period during which a vehicle state satisfies a predetermined condition; and a fourth period, which is a period during which the bus is in a communicating state.
 10. The vehicular data communication authentication system according to claim 9, further comprising a vehicular gateway apparatus that partitions the external tool from the ECUs, wherein: the authentication device, the authentication control device and the authentication maintain device are provided in the vehicular gateway apparatus.
 11. The vehicular data communication authentication system according to claim 9, further comprising a vehicular gateway apparatus that partitions the external tool from the ECUs, wherein: the ECUs include an authentication ECU, which is provided separately from the access target ECU; the authentication device is provided in the vehicular gateway apparatus; and the authentication control device and the authentication maintain device are provided in the authentication ECU.
 12. The vehicular data communication authentication system according to claim 9, wherein: the ECUs include an authentication ECU, which is provided separately from the access target ECU; the authentication device is provided in the authentication ECU; and the authentication control device and the authentication maintain device are provided in each of the ECUs including the authentication ECU and the access target ECU.
 13. The vehicular data communication authentication system according to claim 9, wherein: the ECUs include an authentication ECU, which is provided separately from the access target ECU; and the authentication device, the authentication control device and the authentication maintain device are provided in each of the ECUs including the authentication ECU and the access target ECU.
 14. The vehicular data communication authentication system according to claim 9, further comprising: a communication control device that, in a situation where the authenticated state is not set by the authentication device, permits the data communication between the external tool and the access target ECU only for a specified data.
 15. A vehicular gateway apparatus in a vehicular data authentication system, in which an external tool is connectable to a bus connected with electronic control units (ECUs) including an access target ECU and in which the vehicular gateway apparatus partitions the external tool from the ECUs, the vehicular gateway apparatus comprising: an authentication device that performs authentication of the external tool connected to the bus; an authentication control device that: determines whether or not a result of the authentication of the external tool preformed by the authentication device is affirmative; when determining that the result of the authentication of the external tool is affirmative, sets an authenticated state and permits a data communication between the external tool and the access target ECU, and when determining that the result of the authentication of the external tool is not affirmative, does not set the authenticated state and prohibits the data communication between the external tool and the access target ECU; and an authentication maintain device that, after the authenticated state is set by the authentication control device, maintains the authenticated state within one of: a first period, which is a predetermined period of time elapsed since the authenticated state was set; a second period, which is a period during which an authenticated state maintain request is inputted to the authentication control device; a third period, which is a period during which a vehicle state satisfies a predetermined condition; and a fourth period, which is a period during which the bus is in a communicating state.
 16. The vehicular gateway apparatus according to claim 15, further comprising: a communication control device that, in a situation where the authenticated state is not set by the authentication device, permits the data communication between the external tool and the access target ECU only for a specified data.
 17. A vehicular gateway apparatus in a vehicular data authentication system, in which an external tool is connectable to a bus connected with electronic control units including an access target ECU and in which the vehicular gateway apparatus partitions the external tool from the ECUs, the vehicular gateway apparatus comprising: an authentication device that performs authentication of a vehicle state; an authentication control device that: determines whether or not a result of authentication of the vehicle state preformed by the authentication device is affirmative; when determining that the result of authentication of the vehicle state is affirmative, sets an authenticated state and permits a data communication between the external tool and the access target ECU; and when determining that the result of authentication of the vehicle state is not affirmative, does not set the authenticated state and prohibits the data communication between the external tool and the access target ECU; and an authentication maintain device that, after the authenticated state is set by the authentication control device, maintains the authenticated state within one of: a first period, which is a predetermined period of time elapsed since the authenticated state was set; a second period, which is a period during which an authenticated state maintain request is inputted to the authentication control device; a third period, which is a period during which a vehicle state satisfies a predetermined condition; and a fourth period, which is a period during which the bus is in a communicating state.
 18. The vehicular gateway apparatus according to claim 17, further comprising: a communication control device that, in a situation where the authenticated state is not set by the authentication device, permits the data communication between the external tool and the access target ECU for only a specified data. 